Linksys Routers Malware ‘The Moon’ Spreading

Linksys router users might want to take some extra precautions. Johannes B. Ullrich, a security researcher at the SANS Technology Institute, has revealed that the company’s wireless routers are being targeted by malware, essentially a self replicating worm, which exploits code execution and authentication bypass vulnerabilities. Basically the Linksys router malware is spreading from router to router, attacking the existing firmware and then replicating itself. It dubbed as “The Moon.”

Ullrich says that The Moon scans for vulnerable devices as it looks to continue spreading, over 1,000 Linksys E1000, E1200 and E2400 are already believed to be infected by the malware. The way The Moon spreads is by first remotely calling the Home Network Administration Protocol or HNAP through which networking devices can be managed, configured and identified. Once the model and firmware version is obtained, and the device is found to be vulnerable, the malware sends a CGI script exploit in order to get local command execution access. Belkin, Linksys’s parent company, has confirmed that there exists a security flaw in the HNAP1 implementation, and that its exploit code can be found online. They’re still analyzing what the worm exactly does, but at this time it appears that all it does is spread from one device to another without wreaking havoc. If you happen to use a Linksys router, particularly the models mentioned, then it would be best to disable remote administration outright, or just limit the remote administration rights that have been provided to a select few trusted IP addresses.